REMARKS

Reconsideration and further examination are respectfully requested. 

Restriction Requirement

Applicant hereby elects the prosecution of the claims identified in Group I (claims 1-15 
and 23-26). The remaining claims 16-22 and 27-30 have been withdrawn. 

Double Patenting 

Claims 1-4, 12-15 and 23-26 were rejected under the judicially created doctrine of 
obviousness-type double patenting as being unpatentable over claims of co-pending application 
10/661,903. Applicants acknowledge that a terminal disclaimer may be filed to overcome this 
rejection. However, because the claims of both applications are currently pending and subject to 
amendment, Applicants will delay determination as to whether a filing of the terminal disclaimer 
is a proper course of action until an allowable set of claims has been identified. 

Rejections under 35 U.S.C. § 102

Claims 1, 2, 4-6, 8, 9, 11-14, 23, 24 and 26 were rejected under 35 U.S.C. § 102(e) as
being anticipated by Liu (U.S. Patent 2002/0154635) which incorporates the reference of Caronni
et al. (U.S. Patent 6,970,941).

Liu: 

Liu describes a method of enabling communications between a first private network and a 
second private network. As described in the Abstract of Liu: "...When communicating a packet 
from the first private network to the second private network, a computer receives a packet from a 
source node in the first private network. The computer then determines whether the packet is
destined for the second private network. Thereafter, if the packet is destined for the second 
private network, the computer forwards the packet to a destination node in the second private 
network. When communicating a packet from the second private network to the first private 
network, a computer receives a packet from a source node in the second private network..." 

Liu therefore describes a method and apparatus for communicating between private 
networks. 



Caronni: 

Caronni describes establishing a 'Supernet' which is a private network that uses 
components from a public-network infrastructure. At col. 4, lines 36-60 Caronni describes: 

"... A Supernet allows an organization to utilize a public-network infrastructure for its 
enterprise network so that the organization no longer has to maintain a private network 
infrastructure; instead, the organization may have the infrastructure maintained for them by one 
or more service providers or other organizations that specialize in such connectivity matters. As 
such, the burden of maintaining an enterprise network is greatly reduced. ... 

Supernets also provide heterogeneous addressing functionality. The Supernet uses a 
separate layer that isolates address names of nodes from addressing schemes and delivery 
schemes. The Supernet contains a modification to the IP packet format that can be used to 
separate network behavior from addressing. As a result of the modification, any delivery scheme 
may be assigned to any address, or group of addresses...." 

Caronni describes the address translation scheme in more detail at column 6, lines 6-25: 

"... the system provides address translation in a transparent manner. Since the 
Supernet is a private network constructed from the infrastructure of another network, the 
Supernet has its own internal addressing scheme, separate from the addressing scheme of 
the underlying public network. Thus, when a packet from a Supernet node is sent to 
another Supernet node, it travels through the public network. To do so, the Supernet 
performs address translation from the internal addressing scheme to the public addressing 
scheme and vice versa. By separating the addressing schemes, the Supernet creates a 
flexible delivery scheme that is easily changeable by network software or a system 
administrator. To reduce the complexity of Supernet nodes, system-level components of 
the Supernet perform this translation on behalf of the individual nodes so that it is
transparent to the nodes. Another benefit of the Supernets' addressing is that it uses an IP- 
based internal addressing scheme so that preexisting programs require little modification 
to run within a Supernet..." 

The Supernet of Caronni is thus merely a virtual network layered on top of the Internet IP 
network. For example, as described in the Abstract of Caronni, "The virtual network uses a
separate layer to create a modification to the IP packet format that is used to separate network 
behavior from addressing..." 

Figure 4 of Caronni illustrates an embodiment of the Supernet, which includes multiple 
nodes 316, 318, 320 and 322 which communicate with each other via shared channels. As 
described at column 5, lines 7-11 of Caronni "... When communicating among themselves, the 
nodes 316, 381, 320 and 322 serve as end points for the communications..." 

At column 12, lines 10-20, Caronni recites: 

"... When encrypting the packet, the virtual source node address 642, the virtual 
destination node address 644, and the data may be encrypted (addressing section 660), but the 
source and destination real addresses 614, 616 (delivery scheme section 670) are not, so that the 
real addresses can be used by the public network infrastructure to send packets to the 
destination..." 

Applicant's Argument: 

It is well known that "A claim is anticipated only if each and every element as set forth in 
the claim is found, either expressly or inherently described, in a single prior art reference." 
Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628, 631, 2 USPQ2d 1051, 1053 (Fed.
Cir. 1987)..." (M.P.E.P. 2131) Applicants respectfully submit that neither Liu nor Caronni, alone 
or in combination teach or suggest every element of the independent claims of the present 
invention. 

As described above, Liu describes a system and method of interfacing two different 
private networks. Thus, Caronni describes encrypting the virtual source and destination 
addresses, and appending a Supernet header and Outer IP header to communications to 
implement a Supernet. 

In contrast, the claimed invention, as amended, now clearly recites that the transformed 
packet of the present invention introduces a new 'group' header, which includes a gateway 
source address and group identifier. This group header is encrypted, while the original header is 
used to forward the packet across the backbone. Such a configuration has the advantage of reducing
the number of point to point connections in the network, and thus the amount of routing
information that must be stored, while preserving data as it is transferred across the internet, as
described at page 10 of Applicant's specification, which recites: 

"With such an arrangement, the amount of data that needs to be stored at each of the
trusted ingress and egress points is limited to the number of private groups in the VPN, rather
than the number of connection paths... The present invention modifies the existing concepts of
where the security boundaries need to be established in order to facilitate network scalability..." 

No such advantage is realized by Caronni or Liu, either alone or in combination. 

Applicants respectfully note the contrast between Figure 4 of Caronni and Figure 3 of the 
specification of the present application, which clearly illustrate various sites (Site 1, Site 2, Site 3 
and Site 4) which are coupled together via a provider backbone. Applicant has amended the 
claim to more clearly recite that the gateway source address, associated with the source site, is
inserted in the transformed packet. No such structure is shown or suggested by Caronni or Liu,
alone or in combination.

Claims 1, 2, 4-6, 8, 8, 11-14, 23, 24 and 26:

Independent claim 1 recites the steps of "...receiving a packet including a private network 
address comprising a source address, a destination address and a payload ... apportioning the 
packet into a first portion and a second portion, wherein the first portion includes fields of the 
packet used for transmission of the packet according the protocol of the backbone including the 
private network address and the second portion includes the payload ... appending a gateway 
source address associated with the source address of the packet to the second portion and 
transforming the second portion of the packet according to a group security association 
associated with the private network to provide a transformed portion ... appending the first 
portion of the packet to the transformed portion to provide a transformed packet; and transmitting 
the transformed packet to the backbone using the private network address..." 

Claim 1 is therefore patentably distinct over Caronni and Liu, which neither describe nor
suggest 'appending a gateway source address' to the packet.

Independent claim 12, as amended, is also patentably distinct from Caronni and Liu, 
alone or in combination, for at least the reason that neither reference suggests "...generating a 
second header, the second header including a gateway source address associated with the source 
address in the first header, and a destination address identifying the private network..."

Independent claim 23 is also patentable over Liu and Caronni, alone or in combination, 
for at least the reason that neither describe nor suggest "...An apparatus at a node for 
transforming packets for forwarding between a plurality of members of a group communicating 
on a scalable private network over a backbone, each of the plurality of group members
communicating with the backbone via respective gateways, wherein the backbone operates 
according to a protocol, the apparatus comprising ... a key table, the key table including a security 
association for each group that the node is a member; transform logic comprising means for 
modifying packets received from a source member of the group for transfer on a private network 
over the backbone by inserting, into the received packet, a group identifier associated with the 
private network and a gateway address associated with a source member, the transform logic 
being operable to apply a security association to only a portion of each packet transmitted over 
the private network associated with each group to ensure that a remaining portion of the packet 
enabling communication over the backbone according to the protocol is preserved; and 
forwarding logic for forwarding communication between members of the group using a private 
network address associated with the group..." 

Dependent claims 2, 4-6, 8, 9, 11, 13, 14, 24 and 26 are allowable for at least the reason 
that they serve to add further patentable limitations to allowable parent claims, and it is
therefore requested that the rejection of these claims be withdrawn. 

In addition to the fact that the claims depend upon patentable independent claims, there 
are several limitations in the claims which further distinguish over Liu and Caronni. 

For example, claim 5 recites "...generating a group header associated with the private 
network... appending the group header to the second portion of the packet prior to the step of 
transforming the second portion of the packet to provide a modified packet; and ... transforming 
the modified packet according to the group security association associated with the private 
network to provide the transformed packet" Applicants respectfully note that claim 5 depends 
upon claim 1, and provides further descriptive limitations regarding the second portion of the
packet, which is encrypted in claim 1.

The Examiner alleges that Caronni teaches the step of 'generating a group
header...' at column 7, 'appending the group header to the second portion ...' at column 11,
and 'transforming the modified packet ...' at columns 11, 7 and 3. However, no mention or
suggestion is provided in Caronni of transforming the group information as recited in the claims.
Rather, column 11 merely describes that a Supernet ID is appended to a socket structure.
Column 7 describes that a VARPD table stores mappings of Supernet IDs to network addresses, 
and column 3 describes that the virtual network uses separate layered addresses. No mention or 
suggestion is therefore found regarding a second header portion that includes a group identifier 
and that is transformed, as recited in claim 5. Accordingly, for this additional reason claim 5 is 
patentably distinct over Liu and Caronni, and it is requested that for this additional reason the 
rejection be withdrawn. 

In addition, with regard to claim 6, although the Examiner states that 'a selected group 
address and group type can be used for any type of delivery scheme', it is respectfully submitted 
that the references fail to teach the limitations of the claims as recited. Thus, no mention is 
found or suggested in Liu or Caronni, alone or in combination of 'and wherein the group header 
comprise a group type, the gateway source address, a group address and a and wherein the step of 
generating a group header includes the step of copying the type of the first header to the group 
type...' as recited in claim 6 and it is therefore respectfully requested that for this additional 
reason the rejection be withdrawn. 

Rejections under 35 U.S.C. § 103(a)

Claims 3, 15 and 25:

Claims 3, 15 and 25 were rejected under 35 U.S.C. § 103(a) as being unpatentable over 
Liu in view of Alkhatib et al. (U.S. Patent 2003/0233454). 



Alkhatib: 

Alkhatib describes, in the abstract: 

"...A system is disclosed for establishing a public identity for an entity on a private 
network. In one embodiment, a first entity can initiate a request to create a binding of a public 
address to a private address for itself. The existence of this public address for the first entity can 
be made known so that other entities can use the public address to communicate with the first 
entity. The present invention allows entities outside of a private network to initiate 
communication with an entity inside a private network..." 

The Examiner states, at page 11 of the office action:

"... Liu does not disclose expressly an edge device is disposed between a first member of 
a private network and the backbone and wherein the step of transforming is performed at the 
edge device... Alkhatib teaches an edge device is disposed between the first member of the 
private network and the backbone, and wherein the step of transforming is performed at the edge 
device ... 

It would have been obvious to a person of ordinary skill in the art .... to combine the 
teaching of Alkhatib within the system of Liu because (a) Liu teaches a mechanism to extend
private networks into a public infrastructure ... and (b) Alkhatib teaches providing a method to 
create a binding between public addresses when communicating over a private network..." 



Applicant's Argument 

It is well known that to "establish a prima facie case of obviousness, three basic criteria
must be met. First, there must be some suggestion or motivation, either in the references 
themselves or in the knowledge generally available to one of ordinary skill in the art, to modify 
the reference or to combine reference teachings. Second, there must be a reasonable expectation 
of success. Finally, the prior art reference (or references when combined) must teach or suggest 
all the claim limitations. The teaching or suggestion to make the claimed combination and the 
reasonable expectation of success must both be found in the prior art, not in applicant's 
disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991)." (M.P.E.P. 2143). 

No motivation for the modification of references is shown or suggested by the Examiner 

The mere fact that references can be combined or modified does not render the resultant 
combination obvious unless the prior art also suggests the desirability of the combination. In re 
Mills, 916 F.2d 680, 16 USPQ2d 1430 (Fed. Cir. 1990). A statement that modifications of the
prior art to meet the claimed invention would have been "well within the ordinary skill of the art
at the time the claimed invention was made" because the references relied upon teach that all
aspects of the claimed invention were individually known in the art is not sufficient to establish a 
prima facie case of obviousness without some objective reason to combine the teachings of the 
references. Ex parte Levengood, 28 USPQ2d 1300 (Bd. Pat. App. & Inter. 1993). 

Although the Examiner has stated that the references teach the various limitations, the 
Examiner has provided no reason why one would be motivated to combine these teachings. For 
at least this reason the rejection under 35 U.S.C. §103 is improper and should be withdrawn. 

The Proposed Modification renders the prior art unsatisfactory for its intended purpose

In combining Caronni/Liu with Alkhatib, the Examiner is ignoring the desire of Caronni
to develop a Supernet, which is layered over the virtual addresses to separate network behavior 
from addressing. For at least the reason that the combination would frustrate the desired goals of 
Caronni, it is requested that the rejection be withdrawn. 

Combination neither describes nor suggests the limitations of the claims 

However, assuming that one would be motivated to combine the teachings of Alkhatib 
with Caronni/Liu, the combination would still neither describe nor suggest the limitations of the
claims. As discussed above, Caronni/Liu fails to describe the steps of generating a group header 
which includes a gateway address and is transformed for forwarding over the backbone, while 
retaining a portion of the addressing information for routing across the backbone. Alkhatib does 
nothing to overcome the inadequacies of the Caronni/Liu references. For this additional reason, 
it is requested that the rejection of claims 3, 15 and 25 be withdrawn. 

Claim 7: 

Claim 7 was rejected under 35 U.S.C. § 103(a) as being unpatentable over Liu 
(2002/0154635) which incorporates Caronni. 

Claim 7 recites the steps of "...wherein the first header further includes a length, the group 
header further includes a group length, and wherein the method includes the steps of copying the 
length to the group length..." 

The Examiner states, with regard to claim 7 "... Examiner notes any of the standard 
protocol format obviously conforms to standard T/L/V fields ... as a complete layout of a 
protocol specification..." The Examiner appears to be ignoring the limitations of the claims, and 
has failed to show first why Caronni/Liu would be motivated to add an additional length field
and copy length fields from one header to another. For at least the reason that the Examiner's 
rejection does not satisfy the prima facie requirements for an obviousness rejection it is requested 
that the rejection be withdrawn. 

Claim 10: 

Claim 10 was rejected under 35 U.S.C. § 103(a) as being unpatentable over Liu in view of 
Boden et al. (U.S. Patent 6,330,562). 

Boden:

Boden describes, in the Abstract "...A data model for abstracting customer-defined VPN 
security policy information. By employing this model, a VPN node (computer system existing in 
a Virtual Private Network) can gather policy configuration information for itself through a GUI,
or some distributed policy source, store this information in a system-defined database, and use 
this information to dynamically negotiate, create, delete, and maintain secure connections at the 
IP level with other VPN nodes...." 

The Examiner relies on Boden as teaching an Internet Key Encryption. However,
Applicants note that Boden fails to overcome the inadequacies of Liu as described above. For at 
least the reason that the combination of references fails to describe or suggest every limitation of 
the claims, it is requested that the rejection be withdrawn. 

Conclusion:



Applicants have made a diligent effort to place the claims in condition for allowance. 
However, should there remain unresolved issues that require adverse action, it is respectfully 
requested that the Examiner telephone Applicants' Attorney at the number listed below so that 
such issues may be resolved as expeditiously as possible. 

For these reasons, and in view of the above amendments, this application is now 
considered to be in condition for allowance and such action is earnestly solicited. 